Tuesday, February 11, 2014

[infosecurity-magazine] Hacking a Car with a $20 Gadget

Much has been made of the connected car phenomenon, as more and more vehicles are now coming equipped with connections to cloud services for entertainment and monitoring via 4G or satellite connectivity. While this opens up a new cyber-front for hackers, it turns out that old-fashioned closed-system vehicles are hackable too.

Spanish security researchers Javier Vazquez-Vidal and Alberto Garcia Illera are prepping a presentation for the upcoming Black Hat Asia security conference in Singapore that shows off a prototype of a physical device that can give nefarious types a way to gain control of automobiles’ internal computers in order to essentially wreak havoc. It sounds like the kind of thing that would be useful to spies and criminals in a Tom Clancy novel. Forbes magazine described the gadget:

“A small gadget they built for less than $20 that can be physically connected to a car’s internal network to inject malicious commands affecting everything from its windows and headlights to its steering and brakes. Their tool, which is about three-quarters the size of an iPhone, attaches via four wires to the Controller Area Network or CAN bus of a vehicle, drawing power from the car’s electrical system and waiting to relay wireless commands sent remotely from an attacker’s computer. They call their creation the CAN Hacking Tool, or CHT.”

John Hanson, safety manager of Toyota, dismissed these security concerns and told Forbes, “Our focus, and that of the entire auto industry, is to prevent hacking from a remote wireless device outside of the vehicle.”

And indeed, car OEMs and Tier 1 suppliers are starting to source security technology, with more than 20 million connected cars forecast to ship with software-based security by 2020, according to ABI Research.

“So far connected car security has been mainly based on hardware protection and separation with infotainment and vehicle-centric safety systems shielded from each other”, said ABI vice president and practice director, Dominique Bonte. “However, the shift towards cost-effective software-based security based on virtualization, containerization and sandboxing is well under way with Harman and Mentor Graphics as some of the leading vendors.”

However, security is not just about technology. Adopting end-to-end, balanced, and cost-effective risk management practices, including security-based design procedures, frequency/severity analysis, audit and monitoring policies, and detection and assessment of vulnerabilities through self-induced cyber-attacks, will be required to prevent malicious intrusions.

Security is also closely linked to the secondary effect of compromised privacy, a concern that’s exacerbated by the sensitive character of geo-location data. “Connected cars can dramatically improve the driving experience, but companies must be responsible in their use of consumer information,” said Bob Darbelnet, president and CEO of AAA. “The data that today can be routinely collected by cars includes some of the most sensitive data that can be collected about a person, including information about their precise location and driving habits.”

Though connected cars are the next frontier for vehicular security, Vazquez-Vidal and Garcia Illera hope their presentation will highlight existing concerns in automotive cybersecurity—and a much more pervasive weakness in the car’s defenses.